Abstract: A computer-implemented method according to one embodiment includes training a bidirectional encoder representations from transformers (BERT) model to generate a software representation. An intermediate representation (IR) of a software package is input to the trained BERT model, and a software representation corresponding to the software package is received as output from the trained BERT model. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method. A system according to another embodiment includes a processor, and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.

Abstract: A method, system and apparatus for software intelligence as-a-service, including decomposing software into functional blocks to provide a software genome, building a representation of the software genome in a knowledge graph linking granularities of the functional blocks, and identifying issues with a target software based on the knowledge graph.

Abstract: A method to test an OS kernel interface, such as an eBPF helper function. The interface has a grammar that defines the kernel interface. Testing is carried out using eBPF code that invokes and tests the interface using a fuzzing engine. To facilitate the process, additional user space code is configured to generate at least one kernel event that triggers the eBPF code to run, and to transform inputs from the fuzzing engine according to the grammar that defines the kernel interface. After loading the eBPF code into the OS kernel, the user space code issues the kernel event that causes the eBPF code to run. In response, and as the fuzzing engine executes, the eBPF code records arguments sent to the OS kernel through the kernel interface. The arguments are passed through a data structure shared by the eBPF code and the user space code. By recording the arguments and other diagnostic information, the security of the kernel interface is evaluated.

Abstract: A cloud based implemented method (and apparatus) includes receiving input data including bipartite graph data in a format of source MAC (Media Access Control) address data versus destination IP (Internet Protocol) data and timestamp information, and providing the input bipartite graph data into a first processing to detect malicious beaconing activities using a lockstep detection module on the input bipartite graph data, as executed in a cloud environment, to detect possible synchronized attacks against a targeted infrastructure.

Abstract: A neural network is augmented to enhance robustness against adversarial attack. In this approach, a fully-connected additional layer is associated with a last layer of the neural network. The additional layer has a lower dimensionality than at least one or more intermediate layers. After sizing the additional layer appropriately, a vector bit encoding is applied. The encoding comprises an encoding vector for each output class. Preferably, the encoding is an n-hot encoding, wherein n represents a hyperparameter. The resulting neural network is then trained to encourage the network to associated features with each of the hot positions. In this manner, the network learns a reduced feature set representing those features that contain a high amount of information with respect to each output class, and/or to learn constraints between those features and the output classes. The trained neural network is used to perform a classification that is robust against adversarial examples.

Abstract: Program analysis is provided. An intermediate representation of a program is generated. A set of structured inputs is provided to the program. The set of structured inputs are derived from the intermediate representation. The program is executed using the set of structured inputs. A set of action steps is performed in response to observing a violation of a policy during execution of the program using the structured inputs.

Abstract: An automated technique for security monitoring leverages a labeled semi-directed temporal graph derived from system-generated events. The temporal graph is mined to derive process-centric subgraphs, with each subgraph consisting of events related to a process. The subgraphs are then processed to identify atomic operations shared by the processes, wherein an atomic operation comprises a sequence of system-generated events that provide an objective context of interest. The temporal graph is then reconstructed by substituting the identified atomic operations derived from the subgraphs for the edges in the original temporal graph, thereby generating a reconstructed temporal graph. Using graph embedding, the reconstructed graph is converted into a representation suitable for further machine learning, e.g., using a deep neural network. The network is then trained to learn the intention underlying the temporal graph.

Abstract: An automated method for processing security events. It begins by building an initial version of a knowledge graph based on security information received from structured data sources. Using entities identified in the initial version, additional security information is then received. The additional information is extracted from one or more unstructured data sources. The additional information includes text in which the entities (from the structured data sources) appear. The text is processed to extract relationships involving the entities (from the structured data sources) to generate entities and relationships extracted from the unstructured data sources. The initial version of the knowledge graph is then augmented with the entities and relationships extracted from the unstructured data sources to build a new version of the knowledge graph that consolidates the intelligence received from the structured data sources and the unstructured data sources. The new version is then used to process security event data.

Abstract: An approach for detection of malware is disclosed. The approach involves the use of using IR level analysis and embedding of canonical representation on a suspecting sample of software code. The approach can be applied to both malicious and benign software. Specifically, the approach includes converting a binary code to an IR (intermediate representation), canonicalizing the IR into a canonical IR, extracting one or more similarity representation based on the extracted features and comparing the one or more similarity representation to known malware.

Abstract: An intrusion detection system (IDS) for a micro-services environment identifies attacks in substantially real-time and at a container-level. In this approach, behavior models are generated from container images using a binary analysis. A behavior model is a graph data structure having nodes and edges, wherein an edge represents a system call made by at least one process represented as a node in the graph data structure. The model is co-located with a running container, thereby enabling detection of anomalies as the container executes in a container environment on a hardware node. A per-container IDS function is instantiated by checking whether system call telemetry generated by an image's running container satisfies the associated behavior model that has been generated for the container image. If the telemetry indicates activity that deviates from the behavior model, an automated action is then initiated to attempt to address the attack, preferably while it is in progress.

Abstract: An encoder includes a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to generate a key, estimate a network capacity, and encode each bit of the key using a random matrix of a selected rank and the estimated network capacity for secure transmission of the key through a network.

Abstract: A processor-implemented method generates adversarial example objects. One or more processors represent an adversarial input generation process as a graph. The processor(s) explore the graph, such that a sequence of edges on the graph are explored. The processor(s) create, based on the exploring, an adversarial example object, and utilize the created adversarial example object to harden an existing process model against vulnerabilities.

Abstract: Malware is detected and mitigated by differentiating HTTP error generation patterns between errors generated by malware, and errors generated by benign users/software. In one embodiment, a malware detector system receives traffic that includes HTTP errors and successful HTTP requests. Error traffic and the successful request traffic are segmented for further analysis. The error traffic is supplied to a clustering component, which groups the errors, e.g., based on their URI pages and parameters. During clustering, various statistical features are extracted (as feature vectors) from one or more perspectives, namely, error provenance, error generation, and error recovery. The feature vectors are supplied to a classifier component, which is trained to distinguish malware-generated errors from benign errors. Once trained, the classifier takes an error cluster and its surrounding successful HTTP requests as inputs, and it produces a verdict on whether a particular cluster is malicious.

Abstract: A method to detect anomalous behavior in a computing system begins by training a graph neural network (GNN) in an unsupervised manner by applying contrastive representation learning on sets of positive samples and negative samples derived from one or more heterogeneous graphs using meta-path sampling. Following training, a temporal graph derived from system-generated events is received. The GNN is used to embed the temporal graph into a vector representation in a vector space. The trained GNN is also used to embed a set of attack pattern graphs into corresponding vector representations in the vector space. For anomaly detection, the representation corresponding to the temporal graph is compared to the representations corresponding to the attack pattern graphs. In one embodiment, the comparison is implemented using a fuzzy pattern matching algorithm. If a fuzzy match is found, an indication that the temporal graph is associated with a potential attack on the computing system is then output.

Abstract: Program analysis is provided. An intermediate representation of a program is generated. A set of structured inputs is provided to the program. The set of structured inputs are derived from the intermediate representation. The program is executed using the set of structured inputs. A set of action steps is performed in response to observing a violation of a policy during execution of the program using the structured inputs.

Abstract: Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures.

Abstract: USB traffic is intercepted between a USB device and a computer system. It is determined whether the USB device has previously had a policy associated with it as to whether USB traffic from the device should be blocked, allowed, or sanitized. In response to not having a previous policy for the USB device, a request is made for a user to be prompted to provide a policy of one of block, allow, or sanitize for the USB device. In response to a user-provided-policy, one of the following are performed: blocking the traffic, allowing the traffic, or sanitizing the traffic between the USB device and the computer system. Apparatus, methods, and computer program products are disclosed.

Abstract: An encoder including a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to construct an encoded message using a message and a random element, construct a hash using a shared secret, and transmit the encoded message and the hash to a destination, through a network.

Abstract: Adaptive verifiable training enables the creation of machine learning models robust with respect to multiple robustness criteria. In general, such training exploits inherent inter-class similarities within input data and enforces multiple robustness criteria based on this information. In particular, the approach exploits pairwise class similarity and improves the performance of a robust model by relaxing robustness constraints for similar classes and increasing robustness constraints for dissimilar classes. Between similar classes, looser robustness criteria (i.e., smaller ?) are enforced so as to minimize possible overlap when estimating the robustness region during verification. Between dissimilar classes, stricter robustness regions (i.e., larger ?) are enforced. If pairwise class relationships are not available initially, preferably they are generated by receiving a pre-trained classifier and then applying a clustering algorithm (e.g., agglomerative clustering) to generate them.

Abstract: A neural network is augmented to enhance robustness against adversarial attack. In this approach, a fully-connected additional layer is associated with a last layer of the neural network. The additional layer has a lower dimensionality than at least one or more intermediate layers. After sizing the additional layer appropriately, a vector bit encoding is applied. The encoding comprises an encoding vector for each output class. Preferably, the encoding is an n-hot encoding, wherein n represents a hyperparameter. The resulting neural network is then trained to encourage the network to associated features with each of the hot positions. In this manner, the network learns a reduced feature set representing those features that contain a high amount of information with respect to each output class, and/or to learn constraints between those features and the output classes. The trained neural network is used to perform a classification that is robust against adversarial examples.